OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
OpenVEX documents are minimal JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA. The OpenVEX Specification is owned and steered by the community.
The project has a go library (openvex/go-vex) that lets projects generate, transform and consume OpenVEX files. It enables the ingestion of VEX metadata expressed in other VEX implementations.
Work is underway to create the tools software authors and consumers need to
handle VEX metadata. The current flagship project is
vexctl, a CLI to create, merge and
attest VEX documents.
The project has a growing ecosystem with known implementations in:
- Go (original): https://github.com/openvex/go-vex
- .NET: NuGet GitHub
- Rust: https://docs.rs/openvex/latest/openvex/